Franken, Leahy: Time for Data Breach, Notification Legislation

Sen. Al Franken (D-Minn.), who presided over portions of a Judiciary Committee hearing on data breaches, summed up the tenor of the times when he said it was clear such breaches were a systemic problem, an assessment shared by Committee chairman Patrick Leahy (D-Vt.).

There was less unanimity about what to do about it.

Retailers Target and Neiman Marcus, at the hearing to talk about their high-profile breaches, cautioned against mandating federal data breach standards given the changing nature of the threat and the need for flexible responses. But Franken said he believed that data breach standards legislation could be written in a "flexible" manner and that Congress needed to act.

Federal Trade Commission chairwoman Edith Ramirez seconded that.

Ramirez said that the FTC could use help from Congress in three areas: 1) civil penalty authority; 2) jurisdiction over nonprofits; and 3) rulemaking authority to deal with "evolving risks and harms."

To put an exclamation point on the problem, she pointed out in her testimony that in 2012 alone, 16.6 million people—or 7% of the U.S. population 16-plus—had been victims of identity theft.

Sen. Dianne Feinstein (D-Calif.) pointed out, with some frustration, that she had first introduced a breach notification bill in 2003 and such a bill had yet to pass. She said she had not gotten cooperation from industry, which had consistently fought notification efforts. "People deserve to know their data has been hacked. That is the big resistance in the business community."

She thanked Target and Neiman Marcus for being willing to testify, but gave Target some grief for not individually notifying customers about the breach. John Mulligan, CFO of Target, pointed out that the company had publicized the breach and that it had been on the front pages of every major newspaper. He suggested that had been sufficient to notify their "guests."

Franken agreed that notification legislation is necessary. He has cosponsored an effort by Leahy to pass such a bill.

Leahy, seeking support for his bill, pointed out at the hearing that a Verizon report found that there had been more than 600 publicly disclosed data breaches in 2013. "American consumers deserve to know when their private information has been compromised and what a business is doing in response to a cyberattack," he said.

Sen. Richard Blumenthal (D-Conn.) conceded there would never be an "impenetrable lock on the door" when it came to data security, but he said the locks on current retailer doors are a lot less sophisticated than they could be given current technology. "Industries have some real soul-searching about whether they have sufficiently protected data," he said.

Sen. Amy Klobuchar (D-Minn.), in whose state Target is based, said that data breaches can happen to anyone and that the first order of business is to "find the crooks who did this."